[Openstack] Could s/o clarify if DHCP and L3 agents *must* be on different hosts if namespaces are disabled ?
Gary Kotton
gkotton at redhat.com
Wed Mar 20 16:26:55 UTC 2013
On 03/20/2013 06:16 PM, Sylvain Bauza wrote:
> Hi,
>
> As per https://bugs.launchpad.net/quantum/+bug/1155050 and also other
> literature, I do see doc alerts saying that Quantum L3 and DHCP
> agents must be on different hosts.
> Let me be honest, I successfully installed and configured both on the
> same physical machine, using GRE tunnels and use_namespaces = False,
> and everything is running smoothly : my VMs are getting leases and do
> have floating IPs without trouble.
Yes, this works. The problem is ensuring the network isolation. That is,
someone can make changes in the routing table on the host which will
enable one to gain access to the quantum networks. That is why we
suggest that they run on different hosts. We have a review that is open
to enable one to enforce this when the agents start (this is disabled
by default to ensure backward compatibility and to enable one to run an
all in one setup - for proof of concepts and testing)
>
> So, am I wrong ? What is the terrible thing which could happen in a
> next few days if still keeping my environment as it is ?
No, it is not terrible at all.
>
> Thanks for clarifying me,
> -Sylvain
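The check discussed in this thread, as an added example that is not part of the original messages or of Quantum itself: it flags hosts that run both the L3 and DHCP agents while `use_namespaces` is disabled for either of them. The inventory layout, host names and the `l3`/`dhcp` keys are hypothetical, the ini snippets are constructed, and the default of `True` for a missing option is an assumption.

```python
import configparser

# Assumption: when the option is absent, the agent runs with namespaces enabled.
DEFAULT_USE_NAMESPACES = True


def namespaces_enabled(ini_text):
    """Return the effective use_namespaces value from an agent ini file's text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return parser.getboolean("DEFAULT", "use_namespaces",
                             fallback=DEFAULT_USE_NAMESPACES)


def colocated_without_namespaces(inventory):
    """inventory maps host -> {agent name: ini text} (hypothetical layout).

    Returns [(host, [agents with namespaces disabled])] for every host that
    runs both agents and has use_namespaces off for at least one of them.
    """
    findings = []
    for host, agents in sorted(inventory.items()):
        if not {"l3", "dhcp"} <= agents.keys():
            continue  # agents on separate hosts: the layout the docs recommend
        disabled = [name for name in ("l3", "dhcp")
                    if not namespaces_enabled(agents[name])]
        if disabled:
            findings.append((host, disabled))
    return findings


# Constructed sample configuration text, not taken from a real deployment.
NS_OFF = "[DEFAULT]\nuse_namespaces = False\n"
NS_DEFAULT = "[DEFAULT]\n# use_namespaces not set\n"

SAMPLE_INVENTORY = {
    "net1": {"l3": NS_OFF, "dhcp": NS_OFF},          # the setup from the question
    "net2": {"l3": NS_DEFAULT, "dhcp": NS_DEFAULT},  # co-located, namespaces on
    "net3": {"l3": NS_OFF},                          # L3 agent alone
    "net4": {"dhcp": NS_OFF},                        # DHCP agent alone
}

if __name__ == "__main__":
    for host, disabled in colocated_without_namespaces(SAMPLE_INVENTORY):
        print(f"{host}: L3 and DHCP agents share a host, "
              f"use_namespaces disabled for {', '.join(disabled)}")
```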